Data Security is Policies, Not Technology

HUNTINGTON BEACH, Calif.-From hand-held devices that can execute trades, to networks able to beam reams of information to third-party transfer agents halfway across the globe, technology is evolving at lightning speed, sending billions more bytes of data into cyberspace with each innovation.

Much of that information is sensitive, and none of it is completely secure.

Part of the problem is that investment companies and their service providers just can not stay ahead of the curve when it comes to anticipating the next security breach, experts told attendees of the Investment Company Institute's Operations and Technology Conference and Service Provider Expo last week.

"One of the most important things to know about security is that the threats are always changing," said Michael Radziemski, chief information officer for Lord Abbett in New York.

The best way to control those threats is not with more technology or sophisticated software packages, members of a panel on information and security agreed, but rather through good, old-fashioned pen-and-paper policies that develop a strong corporate culture.

"When the Securities and Exchange Commission asks about security, you can stack a bunch of big books and manuals in front of them, but what they're looking for is a control environment, and they want to see how it is related to all employees," said Victor Frye, chief compliance officer for ProFund Advisors in Bethesda, Md.

From Social Security numbers, names and addresses, to linked bank accounts, income and tax data, the information traded between fund companies and their vendors-and in some cases their vendors' vendors-provides a veritable gold mine of data to identity thieves.

The first step to protecting customers' private information is for companies to identify vulnerabilities within their own systems, said Carl Herberger, president of Allied InfoSecurity.

Companies should also recognize that not all threats are external. "Every employee is an inroad for problems," Frye said. "You can't control every employee 24/7, but you can set a controlled environment."

And the industry is only at the start of the road. Although 18 states and counting have specific laws regarding privacy protection (Pennsylvania's new law will soon go into effect), fund companies and their contractors would be best served by working together to develop a standard that is industry-wide, he said, before the government dictates how their businesses should run with disparate rules in different jurisdictions.

Once a company determines the controls it can use to protect sensitive data, it's important to articulate to investors and to regulators the limits of those safeguards, he said.

"The notion that you can build an intrusion-free organization is just absurd," said Herberger. "The question is how much of a delay mechanism you can employ."

One such delay mechanism is encryption of electronic messages, such as e-mail. Although it may prevent phishers-those who troll the cyberspace to skim sensitive data-today, there's no guarantee they won't figure out a way to crack the code tomorrow.

"It's nothing more than a momentary solution in a game of cat and mouse," Herberger said. Avoiding getting caught in that game demands companies protect themselves with strong computer usage policies and a code of ethics that is enforced.

Radziemski suggested annual policy reviews by a third party to bring a new perspective and insight into regulatory changes, which seem sometimes to come as quickly as technological shifts.

"You want to be able to prove your audit trail is legitimate," Radziemski said.

If upper management hesitates to agree to privacy provisions for fear they may impede business flow, Herberger recommended a "permeation test" or "ethical hack." Confronted with evidence of what a hacker could do, managers often instantly recognize the value of electing security over convenience, he said. "When quality goes up, so do profits," Radziemski agreed. When things go wrong, on the other hand, the business costs, whether measured in fines or reputation, can be unbearable, he said.

Vendors also should have standards and controls, Frye said, and their risk assessment policies and methodologies should be in writing, so that they have an audit trail of their own. This is especially critical in cases where a vendor is one of many with which a fund deals.

"In case of a breach, your first line of defense is to go to the SEC and show you are not the wrongdoer, he said.

In the case of an SEC exam, Frye advised companies to know exactly what investigators are seeking. If a chief compliance officer can explain in detail the controls both their company and their service providers apply, examiners will often pull back, he said. "If you are unable [to show these controls], they will continue to probe in this area," he said.

Increasingly, SEC examiners are looking at how companies guarantee that customers are who they claim to be when they access their accounts, especially online.

CCOs should fully understand how information technology systems work, what security tests entail and have a sense of the ongoing results not only for their company, but, as fiduciaries, for their vendors, too, he said.

"You can't be a perfectionist in this business," Frye said, "but you are expected to have a reasonable program."